---
title: Integrate with Wazuh
sidebar_label: Wazuh
support_level: community
---

## What is Wazuh

> Wazuh is a security platform that aims to safeguard data assets across multiple environments including on-site, virtualized, containerized, and cloud-based.
>
> -- https://wazuh.com

## Preparation

The following placeholders are used in this guide:

- `wazuh-dashboard.company` is the FQDN of the Wazuh Dashboard installation.
- `wazuh-indexer.company` is the FQDN of the Wazuh Indexer installation
- `authentik.company` is the FQDN of the authentik installation.

:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::

## authentik configuration

To support the integration of Wazuh with authentik, you need to create a group, a property mapping, and an application/provider pair in authentik.

### Create a user group in authentik

1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Directory** > **Groups** and click **Create**.
3. Set a name for the group (e.g. `wazuh-administrators`) and click **Create**.
4. Click the name of the newly created group and navigate to the **Users** tab.
5. Click **Add existing user**, select the user that needs Wazuh admin access and click **Add**.

### Create a property mapping in authentik

1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Customization** > **Property Mappings** and click **Create**. Create a **SAML Provider Property Mapping** with the following settings:
    - **Name**: Choose a descriptive name
    - **SAML Attribute Name**: `Roles`
    - **Friendly Name**: Leave blank
    - **Expression**: `wazuh-administrators` is used a placeholder for the group name.

    ```python
    if ak_is_group_member(request.user, name="wazuh-administrators"):
       yield "wazuh-admin"
    ```

3. Click **Finish**.

### Create an application and provider in authentik

1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)

- **Application**: provide a descriptive name (e.g., `Wazuh`), an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: Select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
    - **ACS URL**: `https://wazuh-dashboard.company/\_opendistro/\_security/saml/acs`
    - **Issuer**: `wazuh-saml`
    - **Service Provider Binding**: `Post`
    - Under **Advanced protocol settings**:
        - **Property Mappings**: add the **Property Mapping** you created in the previous section.
        - **NameID Property Mapping**: select a property mapping that will be used for Wazuh usernames (e.g. `authentik default SAML Mapping: Name` or `authentik default SAML Mapping: Email`)
    - **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.

3. Click **Submit** to save the new application and provider.

### Download metadata file

1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Providers** and click on the name of the provider that you created in the previous section (e.g. `Provider for wazuh`).
3. Under **Related objects** > **Metadata**, click on **Download**. This downloaded file is your `SAML Metadata` file and it will be required in the next section.

## Wazuh configuration

To support the integration of authentik with Wazuh, you will need to configure SAML authentication on the Wazuh Indexer server and create role mappings on the Wazuh Dashboard server.

### Wazuh Indexer SAML configuration

:::note
The file `wazuh_authentik_meta.xml` serves as a placeholder for your SAML Metadata file. Ensure that the filename used in this context matches the name of your SAML Metadata file.
:::

1. For the next step, you will need an exchange key. To generate this key, use the following command:

    ```bash
    openssl rand -hex 32
    ```

2. Copy the downloaded metadata file to the `/etc/wazuh-indexer/opensearch-security/` directory on your Wazuh Indexer server.

3. Change the ownership of the `wazuh_authentik_meta.xml` file to the `wazuh-indexer` user using the following command:

    ```bash
    chown wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/opensearch-security/wazuh_authentik_meta.xml
    ```

4. Edit the `/etc/wazuh-indexer/opensearch-security/config.yml` on your Wazuh Indexer server.

    Add a `saml_auth_domain` section after the `basic_internal_auth_domain` section. For example:

    ```yaml {7,10,13-30} showLineNumbers title="/etc/wazuh-indexer/opensearch-security/config.yml"
    ---
    authc:
        basic_internal_auth_domain:
            description: "Authenticate SAML against internal users database"
            http_enabled: true
            transport_enabled: true
            order: 0
            http_authenticator:
                type: basic
                challenge: false
            authentication_backend:
                type: intern
        saml_auth_domain:
            http_enabled: true
            transport_enabled: false
            order: 1
            http_authenticator:
                type: saml
                challenge: true
                config:
                    idp:
                        metadata_file: "/etc/wazuh-indexer/opensearch-security/wazuh_authentik_meta.xml"
                        entity_id: "wazuh-saml"
                    sp:
                        entity_id: "wazuh-saml"
                    kibana_url: "https://wazuh-dashboard.company/"
                    roles_key: Roles
                    exchange_key: "<exchange key generated in step 1>"
            authentication_backend:
                type: noop
    ```

:::note
Ensure that you set the following parameters in the `basic_internal_auth_domain` section: `order: 0` and `challenge: false`

And the `metadata_file`, `kibana_url`, and `exchange_key` parameters in the `saml_auth_domain` section.
:::

5. Run the `securityadmin.sh` script to load the configuration changes made in the `/etc/wazuh-indexer/opensearch-security/config.yml` file, ensure that you update the `-h` flag to your Wazuh Indexer FQDN:

    ```bash
    export JAVA_HOME=/usr/share/wazuh-indexer/jdk/ && bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -f /etc/wazuh-indexer/opensearch-security/config.yml -icl -key /etc/wazuh-indexer/certs/admin-key.pem -cert /etc/wazuh-indexer/certs/admin.pem -cacert /etc/wazuh-indexer/certs/root-ca.pem -h wazuh-indexer.company -nhnv
    ```

6. Edit the `/etc/wazuh-indexer/opensearch-security/roles_mapping.yml` file and include `wazuh_admin` as a `backend_role` in the appropriate section. The following example adds the role to the `all_access` section:

    ```yaml showLineNumbers title="/etc/wazuh-indexer/opensearch-security/roles_mapping.yml"
    all_access:
    reserved: true
    hidden: false
    backend_roles:
    // highlight-next-line
        - "wazuh-admin"
        - "admin"
    hosts: []
    users: []
    and_backend_roles: []
    description: "Maps admin to all_access"
    ```

7. Run the `securityadmin.sh` script again but with the `-f` flag set to `/etc/wazuh-indexer/opensearch-security/roles_mapping.yml`, ensure that you update the `-h` flag to your Wazuh Indexer FQDN:

    ```bash
    export JAVA_HOME=/usr/share/wazuh-indexer/jdk/ && bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -f /etc/wazuh-indexer/opensearch-security/roles_mapping.yml -icl -key /etc/wazuh-indexer/certs/admin-key.pem -cert /etc/wazuh-indexer/certs/admin.pem -cacert /etc/wazuh-indexer/certs/root-ca.pem -h wazuh-indexer.company{" "} -nhnv
    ```

### Wazuh dashboard configuration

1. On the Wazuh Dashboard server, check the value of `run_as` in the `/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml` configuration file:

    ```yaml showLineNumbers title="/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml"
    hosts:
        - default:
                url: https://127.0.0.1
                port: 55000
                username: wazuh-wui
                password: "<WAZUH_WUI_PASSWORD>"
                // highlight-next-line
                run_as: false
    ```

    The `run_as` parameter when set to true, enables the assignment of roles to users based on authorization context information. See the (Wazuh Authorization Context documentation)[https://documentation.wazuh.com/current/user-manual/api/rbac/auth-context.html] for more information.

    If `run_as` is set to `false`, proceed to step 4. If `run_as` is set to `true`, proceed with the following steps to add a role mapping on the Wazuh dashboard.

2. On the Wazuh dashboard click the upper-left menu icon ☰ to open the menu, go to **Server management** -> **Security** -> **Roles mapping**

3. Click **Create Role mapping** and configure the following parameters:
    - **Role Name**: set a name for the role mapping (e.g. authentik_admins)
    - **Roles**: select a role (e.g.`administrator`)
    - **Custom rules**: Click **Add new rule** and set:
        - **User field**: `backend_roles`
        - **Search operation**: `FIND`
        - **Value**: `wazuh-admin`

    Click **Save role mapping**

4. On the Wazuh Dashboard server, add these lines to the `/etc/wazuh-dashboard/opensearch_dashboards.yml` file:

    ```yaml showLineNumbers
    opensearch_security.auth.type: "saml"
    server.xsrf.allowlist:
        [
            "/_opendistro/_security/saml/acs",
            "/_opendistro/_security/saml/logout",
            "/_opendistro/_security/saml/acs/idpinitiated",
        ]
    opensearch_security.session.keepalive: false
    ```

5. Restart the Wazuh dashboard service using the following command:

    ```bash
    sudo systemctl restart wazuh-dashboard
    ```

## Configuration verification

To confirm that authentik is properly configured with Wazuh, log out and log back in using an account that is a member of the appropriate authentik group (e.g. `wazuh-administrators`).
